Netgate Discussion Forum

    Port Forwarding Working, Port Translation Not

    NAT
    • nowell29

      Hi guys.  I really tried to do my homework.  I have been through the troubleshooting guides, other posts, and tried this on different installs, but I am stumped.  This is something I used to do with DD-WRT, and I have since tried it on 3 different pf installs (meaning I tried going back to vanilla install to rule out anything else).

      I have a truly public IP on the WAN, and LAN is 10.10.10.X.  Using 2.4.0

      I can successfully port forward 80 at the WAN IP to 80 on an internal IP. 
      I can successfully port forward 443 at the WAN IP to 443 on an internal IP.
      I can successfully port forward 3389 at the WAN IP to 3389 on an internal IP.
      You get the picture.

      Now, I CANNOT ssh to a non-standard port and TRANSLATE to the standard port inside.  Example: ssh -p 22345 <external ip>.  I can SSH successfully to this host from inside the LAN, but not through this translation.  I can even see the system log Firewall show a green checkmark, but nothing seems to actually be making it to the server itself.

      Been doing SSH for years.  Nothing is actually reaching the server (when trying to go through the port).  Ironically, I can get shell on pf and ssh just fine using standard port.  The server is running standard port 22.  I was translating fine with a DD-WRT setup prior to putting pf in its place.  As stated above, I can ssh to this server on 22 from inside.  And I could ssh to non-standard port until I switched to pf.

      Here is what I have set up (having gone back and tried different this and thats, but none working):
      WAN TCP * * WAN Address  22345  10.10.10.6  22  ssh-rule
      IPv4 TCP * * 10.10.10.6  22  * none  ssh-nat

      I would love some help.  I thought maybe there was an extra step since translation was involved, but nothing I have tried makes a difference, and I couldn't find any documentation that suggested it needed anything more.

      • nowell29

        Have I stumped you all?  :)

        I would love some feedback if anybody has some ideas.

        • johnpoz (LAYER 8 Global Moderator)

          So you're just wanting to hit 22345 on your WAN, and then send that to 22 on 10.10.10.6?

          Yeah, that should work, clickity clickity.. You have validated that 22345 is actually hitting your WAN?  Maybe it's not allowed out from where you're trying to ssh from?  That would explain why your other standard ports work.  Those are allowed out, but this 22345 is blocked?

          Did you make sure that 22345 was not locked up in a state already?  After you created your forward on pfSense?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • nowell29

            So here I am again. Same issue. I am embarrassed to say I don't recall how I fixed this last time.
            Same setup. I have a server with two NICs. One is dedicated to pfsense, and the other is out to the LAN. pfsense is a VM on kvm. It works great as a gateway/firewall. I have working port forwarding on standard non-translated ports. If it comes in 80 for my web, it works. If it comes in rdp, it works. But I want to make SSH use a different port.
            I can SSH to internal server on 22 just fine. I can even SSH from pfsense to the server inside. But going across the port translation it will not work.
            I have done this fine by using a dd-wrt router in place of the pfsense. So I know that the ISP is not blocking ports. It is the introduction of pfsense that breaks a working setup.
            Nothing from above is different. I had to move to a different server chassis since the last one kicked the bucket and 'my backup' file seems to be missing. Shame on me. :)
            Are there other settings that will 'get ya'? I even turned off bogon and private network blocks just in case, no different.

            • SteveITS (Galactic Empire)

              In Firewall/NAT, edit or create a rule. For Destination Port Range pick Other and enter 22345, in both the From and To sections.

              Under Redirect Target IP, enter the LAN IP and in Redirect Target Port, pick SSH.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              • nowell29

                Thank you teamits. This is exactly what I have. I couldn't think it could be more straightforward than that. However, it just isn't working.

                • SteveITS (Galactic Empire)

                  When you created it did you have "NAT reflection" set to use the system default, and "Filter rule association" set to "add associated filter rule"? If you did the latter there will be a "Linked rule" icon on the left side of the NAT rules. If you didn't, you need to add a firewall rule on WAN from * to destination of the LAN IP on destination port 22.


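As an added illustration (not written by any poster, and not pfSense's generated rules.debug), this is what SteveITS's NAT rule and its associated filter rule look like in classic FreeBSD pf.conf syntax, together with the checks johnpoz suggested; it assumes the WAN interface is em0 and uses the poster's own addresses and ports.

```pf
# Added illustration in classic pf.conf syntax; assumes the WAN interface is em0.
# The rdr rule is what the NAT entry describes:
#   Destination Port Range 22345 -> Redirect Target IP 10.10.10.6, Redirect Target Port 22.
# "(em0)" means whatever address em0 currently has, i.e. "WAN Address".
rdr on em0 proto tcp from any to (em0) port 22345 -> 10.10.10.6 port 22

# pf filters AFTER translation, so the associated filter rule must match the
# post-NAT destination: the LAN host on port 22, not the WAN address on 22345.
# This is the "Linked rule" pfSense creates with "add associated filter rule".
pass in quick on em0 proto tcp from any to 10.10.10.6 port 22 flags S/SA keep state

# Wrong: a hand-written WAN rule that matches the untranslated destination never
# sees the packet (by the time filtering runs it is already 10.10.10.6:22), so
# the connection is dropped even though the NAT rule itself is correct.
# pass in quick on em0 proto tcp from any to (em0) port 22345 flags S/SA keep state

# Checks from the pfSense shell, in the order of johnpoz's questions:
#   tcpdump -ni em0 port 22345        # is 22345 reaching the WAN at all?
#   pfctl -sn | grep 22345            # is the rdr rule loaded as expected?
#   pfctl -sr | grep 10.10.10.6       # is there a pass rule for the translated destination?
#   pfctl -ss | grep 22345            # is a stale state still holding the old mapping?
```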
                  • nowell29

                    And again, the rule was recreated automatically as it should.

                    I keep going back to 'there has to be something fundamentally obvious I am forgetting' that will probably be worthy of a face palm when I find it. I really appreciate your help and attention.

                    Yesterday I scrapped it all, did a factory reset, and rebuilt my settings, including trying a different port. I even removed a digit from 22345 to just 2234, no difference. RDP continues to work, but no port translation, only NAT+port forward.

                    I've done this for years. Iptables, dd-wrt, even POS linksys or netgear stuff. Pfsense is the only fw I'm having issues with. Same ISP btw.

                    • Derelict (LAYER 8 Netgate)

                      Screenshots.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.